The most expensive cyberattack in the history of Las Vegas did not begin with a virus, or a stolen password, or a line of code. It began with a phone call.

In the span of a few days, the biggest casino company on Earth watched its slot machines go dark, its hotel room keys stop working, its guests stranded in marble lobbies, and roughly $100 million evaporate because someone picked up a phone, called the help desk, and pretended to be an employee.

And the people who did it were not a foreign government. They were not career criminals in some distant bunker. They were teenagers and young men, several of them barely out of high school, who had figured out the one vulnerability that no software update can ever fix.

This is Fragment Zero, Case File 49, The Casino Heist.

The crew has many names. Security companies call it UNC3944, or Scatter Swine, or Muddled Libra. The world came to know it by the name the FBI eventually used, Scattered Spider.

But the members did not come from the world of nation-state espionage. They came from a loose online subculture known simply as the COM, short for Community, a sprawling network of, by some estimates, a thousand young native English speakers. They were the only ones in the United States and the United Kingdom who graduated from stealing video game usernames and swapping SIM cards to draining cryptocurrency and, eventually, holding billion-dollar corporations hostage.

What made them dangerous was not technical genius in the usual sense. It was that they sounded right. They were young, fluent, confident. And they understood something that the entire security industry spends billions trying to ignore: that behind every impenetrable firewall, there is a human being whose job is to be helpful.

To understand the attack, you have to understand the target: not the casino, the help desk. Every large company has one, an internal support line where employees call when they are locked out, when they forget a password, when their two-factor code stops working. The person answering that line has a difficult job. They must verify. They have to verify that the stranger on the phone is who they claim to be and then help them get back into the system. Quickly. Politely. Hundreds of times a day.

Scattered Spider turned that job into the front door.

According to the joint advisory later published by the FBI and the Cybersecurity and Infrastructure Security Agency, the technique was precise. The actors would call a company's IT help desk, impersonate a real employee, and convince the support worker to reset that employee's password and multi-factor authentication. The federal advisory has a clinical name for it: voice phishing, abusing the trusted relationship of the help desk.

Once inside, they did something clever and durable. They did not just steal a session. They registered their own multi-factor device and then quietly added a second identity provider to the company's single sign-on system, a hidden master key. From that point on, they could log in as almost anyone and keep logging in even after the real employee changed their password. They were not guests in the network. They had rewritten who the network trusted.

In September of 2023, they aimed this at MGM Resorts, the operator of some of the largest casinos on the Las Vegas Strip. The gang would later boast about exactly how easy it was. In a public statement, the ALPHV ransomware group, the criminal operation Scattered Spider was working with, claimed that all it took was finding an MGM employee on LinkedIn and a single 10-minute phone call to the help desk impersonating them. With that, they said, they had administrator access to the company's identity systems.

It is worth being precise here. That 10-minute story is the criminals' own version of events. They're bragging. But the underlying technique, talking a help desk into a reset, was independently confirmed by the security firms that responded.

What happened next was not a quiet data theft. It was a public collapse. On the gaming floor, slot machines went dark, hundreds of them, silent. At the hotels, the digital room keys stopped working, leaving guests locked out of their rooms. Reservation systems failed. Restaurant and payment systems went down. Staff fell back to pen and paper, paying out jackpots by hand and writing reservations on physical cards. For roughly 10 days, one of the most sophisticated hospitality machines in the world ran like it was 1960.

Behind the scenes, the attackers had deployed ransomware, encrypting hundreds of the company's servers. And MGM made a decision that would define the case. It refused to pay. The cost of that refusal showed up later in a filing with federal regulators. MGM estimated the attack cut roughly $100 million from a single month's earnings.

But MGM was not the first casino the crew had walked into that summer. It was the second, and the first one made the opposite choice.

Weeks earlier, the same kind of attack had hit Caesars Entertainment, and Caesars handled it very differently. According to its own disclosure to regulators, Caesars was breached the same way, a social engineering attack, this time against an outsourced IT support vendor. The intruders got in, moved through the network, and copied the crown jewels, the company's loyalty program database. Around 6 terabytes of data, belonging to more than 65 million rewards members. Names, driver's license numbers, Social Security numbers.

And then Caesars did the thing MGM would refuse to do. It negotiated, and it paid. The reported figure was around $15 million, roughly half of the initial $30 million demand. The payment was quiet. There was no 10-day public meltdown, no stranded guests, no dark slot machines. Caesars bought silence and continuity.

So consider the two companies, side by side, hit by the same crew within the same few weeks. One paid and kept the lights on; one refused and collapsed in public. And here is the uncomfortable part: it did not save either of them. MGM lost $100 million, and its operational dignity. Caesars paid a fortune, and its customers' data had already been copied and carried out the door.

There is one more thing about this case that separates it from almost every other story in this archive. This one has faces. And names. And, eventually, handcuffs.

Because the attackers were not ghosts operating from a country beyond the reach of law. They were young men living in Florida. Texas. North Carolina. And the United Kingdom. And, in November of 2024, the United States Department of Justice charged five of them.

Among them was a 20-year-old from Palm Coast, Florida, who went by the handle King Bob. He would plead guilty and be sentenced to 10 years in federal prison, ordered to repay around $13 million. Another, a young Scotsman known online as Tyler Bepp, was tracked to Spain, arrested and extradited to the United States, where he admitted to stealing at least $8 million in cryptocurrency from companies like Twilio and DoorDash. His sentencing carries a possible maximum of more than two decades.

They could talk their way past a Fortune 500 help desk in 10 minutes. They could not talk their way out of an international manhunt.

The casinos came back online. The systems were rebuilt. The lawsuits filed. The regulators briefed. And the lights of the Strip went back to blinding.

And the security industry absorbed the same lesson it keeps refusing to learn. You can spend $100 million on firewalls, intrusion detection, encryption, and threat intelligence. You can build a wall around your network that no piece of software can climb. And a teenager with a calm voice and a name from LinkedIn can still call the front desk, ask politely to be let in, and be let in.

The most dangerous exploit was never in the code. It was in the simple human wish to be helpful to the voice on the other end of the line.

This has been Fragment Zero, Case File 49, The Casino Heist.